[TriLUG] To CAcert or Not To CAcert?

Brian Henning via TriLUG trilug at trilug.org
Thu Mar 15 13:14:30 EDT 2018


My $0.02:

SSL has two primary, orthogonal functions:
1) Keep outsiders from listening in on our conversation
2) Assure one or both of us that the other is who they claim to be

Certificates are most important in part (2), though common SSL setups require a certificate to exist even to do part (1).  Let's Encrypt facilitates part (1), but by offering "an X.509 Certificate for 'free' to anyone," does little or nothing to uphold part (2).  CAcert's value is in being a noncommercial broker of part (2).

That's my understanding, at least.

-The "other other" Brian

-----Original Message-----
From: TriLUG [mailto:trilug-bounces+bhenning=pineresearch.com at trilug.org] On Behalf Of Brian McCullough via TriLUG
Sent: Thursday, March 15, 2018 12:44 PM
To: Triangle Linux Users Group discussion list <trilug at trilug.org>
Subject: [TriLUG] To CAcert or Not To CAcert?

Since there are quite a few on this list who have either performed CAcert Assurances or had one performed for themselves, I thought that I would ask where the wind was blowing these days.  I might ramble, so please bear with me.



For the people who aren't aware, I will quote from the website:
cacert.org:

=====

CAcert.org is a community-driven Certificate Authority that issues certificates to the public at large for free.

CAcert's goal is to promote awareness and education on computer security through the use of encryption, specifically by providing cryptographic certificates. These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the internet. Any application that supports the Secure Socket Layer Protocol (SSL or TLS) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code signing and document signatures.

=====

There are effectively two levels of membership in CAcert.  The first is membership in the Community, which gives you the ability to create and use X.509 certificates issued by CAcert on your behalf.  Beyond that, Community Members may voluntarily assist with donations of money, time or goods, because there is always work to be done and expenses to be paid.  For instance, all Community Members are automatically members of the Policy Committee, and may participate in discussions and votes on the Policies of CAcert, as they choose.

The second level of membership is that of Membership in CAcert, Inc., the non-profit organization that manages the assets and operations of CAcert, and was formed fifteen years ago.  Membership involves an application and a nominal annual fee, and allows voting in the Annual General Meeting and other such meetings.  That membership also allows membership in the Board of Directors.


OK, now that I have discussed some history and background, I want to ask my question, for both the people who have participated or are currently participating in CAcert in some way, and for those who have not.

Considering that there are services such as Let's Encrypt, which offers an X.509 Certificate for "free" to anyone, for a short, renewable period, is CAcert's Web of Trust, Community and independence from commercial Certificate Authorities such as Verisign, still attractive to the TriLUG community and the world at large?


I look forward to a lively discussion, as we frequently have here.



Thank you,
Brian
